iPhone X's Face ID challenge: Getting you to trust it

Since the invention of the password, you've been told to keep yours a secret. Now Apple wants your password to be your most public feature: your face.

That may take some convincing. Most people probably haven't been exposed to facial recognition technology in their daily lives. To the degree they're aware of it, they may well be suspicious after years of easily tricked facial recognition software and uncertainty about biometrics in general.

Touch ID had its share of skeptics when it was released, including politicians who raised privacy concerns about biometrics. That was just for fingerprints. Now Apple has to convince you to use your face to get into your iPhone, even as tech companies wrestle with public concerns about security and privacy. But now that people have grown comfortable with Touch ID, Apple has taken it away from you as an option for the iPhone X. It's Face ID or a passcode.

Apple declined to comment beyond the keynote or its public documents about Face ID.

Biometric identifiers offer several advantages over passwords. It's convenient to unlock a device just by looking at it or holding your fingerprint on a scanner, much more so than typing in codes. Biometric "passwords" are hard for hackers to steal, and they don't force you to remember anything. Perhaps best of all: They're unique to you. If law enforcement comes knocking, you might be forced to unlock your device, but that's another story.

Yet facial recognition has a bad rep because of all the failures it's had in the last five years.

The technology has been easily tricked by pictures. It didn't work in the dark. In some cases, people wearing glasses stumped it.

"Earlier facial recognition just didn't work very well," said Dasha Cherepennikova, the chief strategy officer of One World Identity, a privacy research company. "There's a lot of concerns. Apple is saying they made something mass-market that actually works."

To do that, Apple has taken the slow-and-steady approach it always has. It wasn't the first to use a fingerprint scanner to unlock devices and it isn't the first to use facial recognition, either. Apple took its time to make sure Face ID didn't fall into the same pitfalls its predecessors did.

Previous generations of facial recognition proved to be duds after people showed they could easily trick the technology.


When it's this easy to fool facial recognition technology, public trust in biometric security is bound to drop. Research from RSA Security and Harris Poll found that only 28 percent of consumers trust facial recognition as a password. After Apple announced Face ID, former NSA contractor Edward Snowden, who leaked classified documents about the agency's widespread spying, raised concerns about normalizing facial recognition.

"There's a lot of vendors who rushed facial recognition to market," said Jim Ducharme, RSA's vice president of identity products. "Not only were there concerns about privacy and security, but the usability of it."

The phone scans in 3D, so static images won't work. Apple worked with Hollywood mask makers to defend against fake faces, boasting that it'd be a one-in-a-million chance that Face ID gets tricked by a replica.

"Me holding up a picture of somebody is rather useless because it's not the infrared image," Ducharme said. "The approach that they're using to recognize the face is very different than using a camera to take a selfie."

The iPhone X won't be available until November, so we can't test it for ourselves yet. But Apple has already demonstrated that its facial recognition uses more robust scanning than a single camera.

"Apple basically waited until they had the technology that they could implement how they wanted to," said Andrew Blaich, a security researcher at Lookout. "They took their time, and made sure they had tested it properly."

Keeping private

As with Touch ID, all the data points from your face will be stored on the iPhone X's Secure Enclave, a part of the phone's processor with its own encrypted memory. The data won't be sent to a server that Apple owns, where hackers might be able to break in and steal massive amounts of private information, as happened in an iCloud leak in 2014.

Losing biometric data could be catastrophic for security if hackers do figure out a way to crack into accounts. Your face isn't as easy to change as passwords are.

"That's where a lot of those challenges are for companies like Apple," Chad Holmes, an analyst at Ernst and Young, said. "Vendors are really at notice on how they store their data now."

Storing biometric data on the device instead of a server is a common practice, something Samsung and Microsoft also do for their facial recognition. Hackers would have to get physical access to steal any biometric data. If there are concerns that Apple is secretly sending your facial scans and fingerprints out, a traffic analysis might allay them.

"I've done reverse engineering and watched the data flow for the Secure Enclave. There is no data being sent anywhere," said Pepijn Bruienne, a research engineer with Duo Security. "Face ID will be very similar."

Facing the future

Face ID is here to stay for future generations of the iPhone, which means Apple will have to deliver on its promise for facial recognition. It's already off to a bumpy start: Face ID didn't work during a live demonstration at the iPhone X launch, but Apple said it was because other people were handling the phone ahead of time, forcing the system to request the code instead (similar to Touch ID). Apple told Yahoo it worked like it was supposed to.

People won't want a biometric that doesn't work, no matter how cool it seems. Everyone can get by fine with the PIN codes that are already required for the iPhone X. Security and privacy are major concerns for Face ID, but the feature will live and die on convenience.

Apple has already introduced features that will help it scan faces in the dark, along with a neural network that learns to recognize your face over time, even if you grow a beard or acquire a scar.

The iPhone maker might have shown up late on facial recognition, but it was putting precautions in place to make sure it didn't crash and burn.

"If the user experience is very smooth," Blaich said, "you'll see the adoption grow quickly."

Updated at 6:38 a.m. PT: To change the title of the One World Identity executive.